Monthly Archives: December 2022

Global Study on Zero Trust Security for the Cloud

Implementing Zero Trust security methods doesn’t just safeguard hybrid cloud environments, but actually enables—and likely even accelerates—cloud transformation, according to a survey of nearly 1,500 IT decision makers and security professionals in the U.S., Europe, the Middle East and Africa (EMEA) and Latin America (LATAM).

The survey, conducted by Ponemon Institute on behalf of Appgate, the secure access company, reveals a clear link between the implementation of Zero Trust security measures to mitigate distributed IT infrastructure risks and the realization of cloud transformation objectives.

Different cloud environments, but consistent motivations

This report presents consolidated global findings and insights from the research. According to the study, there is enormous cloud environment diversity in respondents’ organizations. Specifically, there are varied mixes of public/private clouds and on-premises infrastructure, different adoption rates for containers and disparate portions of IT and data processing in the cloud. However, as the research reveals, the drivers of cloud investments are broadly consistent from region to region.

Overall, increasing efficiency is the top motivation for cloud transformation, according to 62 percent of respondents. The second most common motivation is reducing costs (53 percent of respondents) followed by a virtual tie between improving security (48 percent of respondents) and shortening deployment timelines (47 percent of respondents).

New cybersecurity risks not addressed by traditional solutions

But cloud transformation has its own set of security risks and challenges. In fact, nearly 50 percent of respondents flag network monitoring and visibility difficulties as the most significant challenge, followed by a lack of in-house expertise (45 percent) and a recognition of the increased attack vectors that come with having more resources in the cloud (38 percent).

To read the entire study, download it from the website.

To hear Larry on a podcast discussing the study, visit the Zero Trust Thirty podcast.

Focusing on specific security threats, 59 percent of study participants indicate account takeover or credential theft is a major concern, just ahead of third-party access risks. This points to widespread worries about secure access to cloud resources by an organization’s users and outside vendors/suppliers alike.

Addressing cloud security risks is a known hurdle, with 36 percent of respondents reporting that the siloed nature of traditional security solutions creates cloud integration challenges. Modern “shift left” development methodologies only partially address the issue and may even add new risks into the mix. For instance, 52 percent of respondents agree or strongly agree that the inability of current network security controls to scale fast enough affects DevOps productivity or introduces vulnerabilities.

Zero Trust Network Access (ZTNA) offers a proven solution

The research also reveals that Zero Trust Network Access (ZTNA) is a practical solution to cloud security pain points poorly addressed by the over-privileged access approach of siloed solutions and traditional perimeter defenses. As evidence, the top two security practices identified as being the most important to achieving secure cloud access are enforcing least privilege access (62 percent of respondents) and evaluating identity, device posture and contextual risk as authentication criteria (56 percent of respondents).

Ranking third and fourth are a consistent view of all network traffic across IT environments (53 percent of respondents) and cloaking servers, workloads and data to prevent visibility and access until the user or resource is authenticated (51 percent of respondents). ZTNA’s capabilities directly address all four of these cloud security practices that respondents deem necessities.

Zero Trust is a victim of its own success

The survey also hints that Zero Trust security may be dismissed by some as a buzzword despite high-profile industry calls for action, including a U.S. White House mandate for federal agencies to meet a series of Zero Trust security requirements by 2024. However, there is evidence that this dismissal is based on a poor understanding of what Zero Trust actually is. For example, roughly a quarter of the respondents who have not deployed Zero Trust describe it as “just about marketing”, yet many of those same respondents identify specific ZTNA capabilities as essential to protecting cloud resources.

Similarly, many of the respondents who indicate that their organizations are not implementing Zero Trust nevertheless believe that security components that strongly align with Zero Trust security principles are important. This further indicates the confusion about what Zero Trust security actually means.

Those who have knowingly adopted Zero Trust tenets (49 percent of respondents) report a range of benefits. Within that group, 65 percent say the top benefit is increased productivity of the IT security team, followed by stronger authentication using identity and risk posture (61 percent) and a tie between increased productivity for DevOps and greater network visibility and automation capabilities (both 58 percent).

Zero Trust is an enabler not an add-on

These benefits suggest that Zero Trust goes beyond “simply” protecting valuable data and mission-critical services within hybrid cloud environments. In fact, it can drive enterprise productivity gains and accelerate digital transformation. In other words, Zero Trust security principles shouldn’t be regarded as something to add after completing a cloud migration, but rather as something that speeds up and secures the transformation itself.

Ultimately, the speed of business is only going to continue to accelerate the adoption of cloud, containers, DevOps and microservices. Zero Trust security can help organizations quickly and securely keep pace with agile cloud deployments. A comprehensive ZTNA platform is the unified policy engine that delivers secure access for all users, devices and workloads, regardless of where they reside. The cloud train has left the station and continues to accelerate without regard for increased risk and security complexity. The results of this study demonstrate the ability of Zero Trust security to help security keep pace.

Zelle might change long-standing unfair policy on fraud refunds — now, onto the rest of our Too Big to Scale problems

Bob Sullivan

Zelle, a favorite tool for online criminals, *might* begin protecting users from scams soon.  Victims who report they’ve been “robbed” by thieves on the service have long been denied dispute rights we take for granted with other kinds of electronic transactions.  Recently, banks leaked a plan to the Wall Street Journal that would reverse this position. According to the story, banks that give an account to a criminal and receive stolen funds would be forced to refund the victim’s bank, which would then refund the victim. This is great news. It would bring P2P payments out of the dark ages.  It would let Zelle thrive the way zero-liability policies turbocharged the credit/debit card market. More important, it would force banks to invest much more time and money into spotting and stopping criminals, since they’d be on the hook for losses.

For now, it’s just a story in the Wall Street Journal — and The New York Times, which really deserves credit for dragging Sen. Elizabeth Warren and her hearing-shaming tactics into this fight.   There’s always the chance this is a stalling tactic. The Consumer Financial Protection Bureau is currently weighing rules that would impose this kind of liability on Zelle-member banks, and it’s long been theorized that banking regulators are weighing a make-a-point lawsuit against Zelle. So don’t count your chickens yet.  But critically, if you are one of the thousands of Zelle victims who’ve reached out to me through the years, keep those records handy.  I doubt banks would make this new policy retroactive on day one, but there may very well be legal opportunities to force their hand.

Don’t expect banks to give up this issue without a fight, however. Zelle is a consortium of the world’s largest banks, and it has been resisting this obvious step for years.  The first time I met with a Zelle representative was in 2018, around the time I’d done a series of stories with devastating examples of Zelle victims.  Creating credit-card-like consumer protections sounded off the table then. And as recently as October, the American Bankers Association drafted a letter to the CFPB opposing any new regulation, claiming it would effectively kill Zelle’s business model.  It’s a manifesto that could apply to any attempt at making banks behave better. Here are some greatest hits from that letter with my notes.

  • In a section arguing why irreversibility — criminals’ favorite feature — is essential to Zelle, the ABA says: “Consumers value the fact that P2P payments are made quickly—and importantly—cannot be reversed. … The finality of payment means recipients can confidently use the money as soon as it is received.” But one paragraph earlier, the ABA writes that Zelle should be used  “to pay the babysitter, lawn mower, or handyman, to send money to a college student, or to repay a friend for dinner or concert tickets.”  Maybe bankers have bad friends and scheming babysitters, but I don’t worry too much about my friends reversing my $40 Zelle payments after lunch.
  • The ABA also warns that banks “may also have to consider placing ‘holds’ on money sent by P2P, which would fundamentally alter the value and appeal of the ‘faster payment’ product that consumers have overwhelmingly indicated they want.” I’d like to see research on that. People want banks that are safe, first and foremost.  But more to the point, I’d love to examine Zelle’s transaction data, because I have a sneaking suspicion that the vast majority of funds never leave Zelle’s ecosystem.  That is — the $45 you pay a buddy for dinner stays in her Zelle account until she pays $30 to her friend for happy hour next Tuesday.  Speed is not of the essence in those transactions.  This is mere pixel placeholding. I’ve long advocated for a delay when transactions exceed a reasonable threshold — say $200? — or maybe anything that’s 500% more than your typical transactions. Such a threshold would CLEARLY communicate what banks obliquely say in their disclaimers, that Zelle should only be used for friends, family, etc.
    At any rate, there *is* often a delay when consumers try to actually get their money out of P2P apps. It costs up to $25 to get an ‘instant’ transfer from Venmo, otherwise there’s a 1-3 day delay.
  • Banks curiously argue that increasing consumer rights will lead to more fraud. “Shifting liability to banks for authorized but fraudulently induced transactions also will increase scams and embolden scammers. Armed with a written federal government policy stating that consumers are entitled to a return of money sent to scammers, scammers will be better able to induce consumers to send money. They will assure them that there is no downside or risk in sending the money because the bank will reimburse them.”
    This is akin to the Sam Peltzman-like argument that seat belts actually make people less safe because they drive more dangerously. The grain of truth in this argument is swallowed up by real-world data and experience showing that banking professionals are in a far better place to stop fraud than amateur consumers just trying to give each other IOUs and have another drink.
  • This argument shows there are no limits to the strained logic banks are willing to attempt in defense of their scam-infested software.  If higher fraud controls were in place, there would be false positives, and banks would wrongly deny some legitimate transactions. True. But the ABA warns of dire consequences: “For example, a bank might face liability based on the consumer’s claim that the failure to send money caused the consumer to miss out on a profitable investment or purchase opportunity.” If banks are ready to admit their liability for causing lost time and opportunity, I’d think consumers who were wrongly denied loans would get the first number in that massive lawsuit.

You can see why Ed Mierzwinski of the Public Interest Research Group dismissed the ABA’s position as farcical in a recent blog post. “Fire, brimstone, higher costs and other signs of the apocalypse are standard fodder for any industry screed against needed regulation, so I’m not surprised,” he wrote this week.

Specious arguments aside, I’d like to focus on what the ABA says quite plainly in its manifesto against fixing Zelle. Fraud on the service is “de minimis.” As in, “too trivial to merit consideration.” Yup. That’s you, bank customers. Too trivial to merit consideration. I’ve written about an elderly woman who didn’t even know she had a Zelle account and had $23,000 stolen from her — about a widow who had every penny of her small business loan stolen via Zelle — about a woman who donated to a friend who needed a kidney transplant, had her account drained, and was forced to make a ‘hostage video.’ In each case, and in hundreds more, banks denied legitimate fraud claims.  Claims that devastate real human beings.  They are all “de minimis.”  Google “Zelle fraud” now, or search Twitter. You won’t be able to read all the results you get.

All those victims are “de minimis.” Too trivial to merit consideration.

And so, dear reader, are you. That’s what passes for a business model in the age of Gotcha Capitalism.  Become as large as possible as fast as possible, and dismiss the collateral damage as de minimis.

I’m belaboring the point because I’ll say to anyone who will listen nowadays — poor customer service is our greatest security vulnerability. Mistreated consumers have become a favorite vector for criminals.  People pay hackers to get their hijacked Instagram accounts back. They pay bots to get a spot on the IRS telephone helpline.  And criminals use this frustration as an easy way to hack corporate networks. Why guess usernames and passwords when you can simply enlist disgruntled consumers to steal for you? The ABA basically admits this.

“It is difficult to persuade customers not to send the money because criminals have coached them not to contact or trust the bank,” the ABA writes. Exactly.  Consumers trust random callers rather than their banks when faced with a critical choice. Maybe that sounds absurd until you read the story of a woman who was in the middle of a Zelle scam, walked into a bank, and couldn’t even get help when she put the criminal on speakerphone in the bank lobby.

That’s what a “de minimis” world gets you.  We live in a world where most businesses are Too Big to Scale. They just can’t reasonably service their customers. They use technology to feign a token effort (“Try our self-service app”) but when anything really goes wrong, you’re screwed.  And, you’re de minimis. That is, digital roadkill. There’s no human who can make a reasonable good-faith judgment on your issue; there’s only a software-driven infinite loop saying NO.   Professionalism, morality, the natural human urge to intervene when human suffering lands at your door — these have all been downsized out of the system. “Sorry, grandma, your life savings is gone and we can’t do anything.  Now, how would you rate this customer service interaction? 5 stars? Would you like to apply for an auto loan?”

Too Big to Scale is a problem I will be writing about more in the coming weeks and months. For now, delight in small victories. The Zelle network might do the right thing.  That’s very good news.  Thank a journalist like Stacey Cowley if you get the chance.